search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add unit tests for IPv6 address summaries and IPv4 netblock rejection
[tor.git] / src / test / test_policy.c
blobfb7195abfaf7dbf6359a9d22c05b9b2578cc636b
1 /* Copyright (c) 2013-2016, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 #include "or.h"
5 #define CONFIG_PRIVATE
6 #include "config.h"
7 #include "router.h"
8 #include "routerparse.h"
9 #define POLICIES_PRIVATE
10 #include "policies.h"
11 #include "test.h"
12
13 /* Helper: assert that short_policy parses and writes back out as itself,
14 or as <b>expected</b> if that's provided. */
15 static void
16 test_short_policy_parse(const char *input,
17 const char *expected)
18 {
19 short_policy_t *short_policy = NULL;
20 char *out = NULL;
21
22 if (expected == NULL)
23 expected = input;
24
25 short_policy = parse_short_policy(input);
26 tt_assert(short_policy);
27 out = write_short_policy(short_policy);
28 tt_str_op(out, OP_EQ, expected);
29
30 done:
31 tor_free(out);
32 short_policy_free(short_policy);
33 }
34
35 /** Helper: Parse the exit policy string in <b>policy_str</b> with
36 * <b>options</b>, and make sure that policies_summarize() produces the string
37 * <b>expected_summary</b> from it when called with family. */
38 static void
39 test_policy_summary_helper_family_flags(const char *policy_str,
40 const char *expected_summary,
41 sa_family_t family,
42 exit_policy_parser_cfg_t options)
43 {
44 config_line_t line;
45 smartlist_t *policy = smartlist_new();
46 char *summary = NULL;
47 char *summary_after = NULL;
48 int r;
49 short_policy_t *short_policy = NULL;
50 int success = 0;
51
52 line.key = (char*)"foo";
53 line.value = (char *)policy_str;
54 line.next = NULL;
55
56 r = policies_parse_exit_policy(&line, &policy,
57 options, NULL);
58 tt_int_op(r,OP_EQ, 0);
59
60 summary = policy_summarize(policy, family);
61
62 tt_assert(summary != NULL);
63 tt_str_op(summary,OP_EQ, expected_summary);
64
65 short_policy = parse_short_policy(summary);
66 tt_assert(short_policy);
67 summary_after = write_short_policy(short_policy);
68 tt_str_op(summary,OP_EQ, summary_after);
69
70 success = 1;
71 done:
72 /* If we don't print the flags on failure, it's very hard to diagnose bugs */
73 if (!success)
74 TT_DECLARE("CTXT", ("\n IPv%d\n Options: %x\n Policy: %s",
75 family == AF_INET ? 4 : 6, options, policy_str));
76 tor_free(summary_after);
77 tor_free(summary);
78 if (policy)
79 addr_policy_list_free(policy);
80 short_policy_free(short_policy);
81 }
82
83 /** Like test_policy_summary_helper_family_flags, but tries all the different
84 * flag combinations */
85 static void
86 test_policy_summary_helper_family(const char *policy_str,
87 const char *expected_summary,
88 sa_family_t family)
89 {
90 for (exit_policy_parser_cfg_t opt = 0;
91 opt <= EXIT_POLICY_OPTION_ALL;
92 opt++) {
93 if (family == AF_INET6 && !(opt & EXIT_POLICY_IPV6_ENABLED))
94 /* Skip the test: IPv6 addresses need IPv6 enabled */
95 continue;
96
97 if (opt & EXIT_POLICY_REJECT_LOCAL_INTERFACES)
98 /* Skip the test: local interfaces are machine-specific */
99 continue;
100
101 test_policy_summary_helper_family_flags(policy_str, expected_summary,
102 family, opt);
103 }
104 }
105
106 /** Like test_policy_summary_helper_family, but uses expected_summary for
107 * both IPv4 and IPv6. */
108 static void
109 test_policy_summary_helper(const char *policy_str,
110 const char *expected_summary)
111 {
112 test_policy_summary_helper_family(policy_str, expected_summary, AF_INET);
113 test_policy_summary_helper_family(policy_str, expected_summary, AF_INET6);
114 }
115
116 /** Like test_policy_summary_helper_family, but uses expected_summary4 for
117 * IPv4 and expected_summary6 for IPv6. */
118 static void
119 test_policy_summary_helper6(const char *policy_str,
120 const char *expected_summary4,
121 const char *expected_summary6)
122 {
123 test_policy_summary_helper_family(policy_str, expected_summary4, AF_INET);
124 test_policy_summary_helper_family(policy_str, expected_summary6, AF_INET6);
125 }
126
127 /** Run unit tests for generating summary lines of exit policies */
128 static void
129 test_policies_general(void *arg)
130 {
131 int i;
132 smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL,
133 *policy4 = NULL, *policy5 = NULL, *policy6 = NULL,
134 *policy7 = NULL, *policy8 = NULL, *policy9 = NULL,
135 *policy10 = NULL, *policy11 = NULL, *policy12 = NULL;
136 addr_policy_t *p;
137 tor_addr_t tar, tar2;
138 smartlist_t *addr_list = NULL;
139 config_line_t line;
140 smartlist_t *sm = NULL;
141 char *policy_str = NULL;
142 short_policy_t *short_parsed = NULL;
143 int malformed_list = -1;
144 (void)arg;
145
146 policy = smartlist_new();
147
148 p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*", -1,
149 &malformed_list);
150 tt_assert(p != NULL);
151 tt_int_op(ADDR_POLICY_REJECT,OP_EQ, p->policy_type);
152 tor_addr_from_ipv4h(&tar, 0xc0a80000u);
153 tt_int_op(0,OP_EQ, tor_addr_compare(&p->addr, &tar, CMP_EXACT));
154 tt_int_op(16,OP_EQ, p->maskbits);
155 tt_int_op(1,OP_EQ, p->prt_min);
156 tt_int_op(65535,OP_EQ, p->prt_max);
157
158 smartlist_add(policy, p);
159
160 tor_addr_from_ipv4h(&tar, 0x01020304u);
161 tt_assert(ADDR_POLICY_ACCEPTED ==
162 compare_tor_addr_to_addr_policy(&tar, 2, policy));
163 tor_addr_make_unspec(&tar);
164 tt_assert(ADDR_POLICY_PROBABLY_ACCEPTED ==
165 compare_tor_addr_to_addr_policy(&tar, 2, policy));
166 tor_addr_from_ipv4h(&tar, 0xc0a80102);
167 tt_assert(ADDR_POLICY_REJECTED ==
168 compare_tor_addr_to_addr_policy(&tar, 2, policy));
169
170 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy2,
171 EXIT_POLICY_IPV6_ENABLED |
172 EXIT_POLICY_REJECT_PRIVATE |
173 EXIT_POLICY_ADD_DEFAULT, NULL));
174
175 tt_assert(policy2);
176
177 tor_addr_from_ipv4h(&tar, 0x0306090cu);
178 tor_addr_parse(&tar2, "[2000::1234]");
179 addr_list = smartlist_new();
180 smartlist_add(addr_list, &tar);
181 smartlist_add(addr_list, &tar2);
182 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy12,
183 EXIT_POLICY_IPV6_ENABLED |
184 EXIT_POLICY_REJECT_PRIVATE |
185 EXIT_POLICY_ADD_DEFAULT,
186 addr_list));
187 smartlist_free(addr_list);
188 addr_list = NULL;
189
190 tt_assert(policy12);
191
192 policy3 = smartlist_new();
193 p = router_parse_addr_policy_item_from_string("reject *:*", -1,
194 &malformed_list);
195 tt_assert(p != NULL);
196 smartlist_add(policy3, p);
197 p = router_parse_addr_policy_item_from_string("accept *:*", -1,
198 &malformed_list);
199 tt_assert(p != NULL);
200 smartlist_add(policy3, p);
201
202 policy4 = smartlist_new();
203 p = router_parse_addr_policy_item_from_string("accept *:443", -1,
204 &malformed_list);
205 tt_assert(p != NULL);
206 smartlist_add(policy4, p);
207 p = router_parse_addr_policy_item_from_string("accept *:443", -1,
208 &malformed_list);
209 tt_assert(p != NULL);
210 smartlist_add(policy4, p);
211
212 policy5 = smartlist_new();
213 p = router_parse_addr_policy_item_from_string("reject 0.0.0.0/8:*", -1,
214 &malformed_list);
215 tt_assert(p != NULL);
216 smartlist_add(policy5, p);
217 p = router_parse_addr_policy_item_from_string("reject 169.254.0.0/16:*", -1,
218 &malformed_list);
219 tt_assert(p != NULL);
220 smartlist_add(policy5, p);
221 p = router_parse_addr_policy_item_from_string("reject 127.0.0.0/8:*", -1,
222 &malformed_list);
223 tt_assert(p != NULL);
224 smartlist_add(policy5, p);
225 p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",
226 -1, &malformed_list);
227 tt_assert(p != NULL);
228 smartlist_add(policy5, p);
229 p = router_parse_addr_policy_item_from_string("reject 10.0.0.0/8:*", -1,
230 &malformed_list);
231 tt_assert(p != NULL);
232 smartlist_add(policy5, p);
233 p = router_parse_addr_policy_item_from_string("reject 172.16.0.0/12:*", -1,
234 &malformed_list);
235 tt_assert(p != NULL);
236 smartlist_add(policy5, p);
237 p = router_parse_addr_policy_item_from_string("reject 80.190.250.90:*", -1,
238 &malformed_list);
239 tt_assert(p != NULL);
240 smartlist_add(policy5, p);
241 p = router_parse_addr_policy_item_from_string("reject *:1-65534", -1,
242 &malformed_list);
243 tt_assert(p != NULL);
244 smartlist_add(policy5, p);
245 p = router_parse_addr_policy_item_from_string("reject *:65535", -1,
246 &malformed_list);
247 tt_assert(p != NULL);
248 smartlist_add(policy5, p);
249 p = router_parse_addr_policy_item_from_string("accept *:1-65535", -1,
250 &malformed_list);
251 tt_assert(p != NULL);
252 smartlist_add(policy5, p);
253
254 policy6 = smartlist_new();
255 p = router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*", -1,
256 &malformed_list);
257 tt_assert(p != NULL);
258 smartlist_add(policy6, p);
259
260 policy7 = smartlist_new();
261 p = router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*", -1,
262 &malformed_list);
263 tt_assert(p != NULL);
264 smartlist_add(policy7, p);
265
266 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy8,
267 EXIT_POLICY_IPV6_ENABLED |
268 EXIT_POLICY_REJECT_PRIVATE |
269 EXIT_POLICY_ADD_DEFAULT,
270 NULL));
271
272 tt_assert(policy8);
273
274 tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9,
275 EXIT_POLICY_REJECT_PRIVATE |
276 EXIT_POLICY_ADD_DEFAULT,
277 NULL));
278
279 tt_assert(policy9);
280
281 /* accept6 * and reject6 * produce IPv6 wildcards only */
282 policy10 = smartlist_new();
283 p = router_parse_addr_policy_item_from_string("accept6 *:*", -1,
284 &malformed_list);
285 tt_assert(p != NULL);
286 smartlist_add(policy10, p);
287
288 policy11 = smartlist_new();
289 p = router_parse_addr_policy_item_from_string("reject6 *:*", -1,
290 &malformed_list);
291 tt_assert(p != NULL);
292 smartlist_add(policy11, p);
293
294 tt_assert(!exit_policy_is_general_exit(policy));
295 tt_assert(exit_policy_is_general_exit(policy2));
296 tt_assert(!exit_policy_is_general_exit(NULL));
297 tt_assert(!exit_policy_is_general_exit(policy3));
298 tt_assert(!exit_policy_is_general_exit(policy4));
299 tt_assert(!exit_policy_is_general_exit(policy5));
300 tt_assert(!exit_policy_is_general_exit(policy6));
301 tt_assert(!exit_policy_is_general_exit(policy7));
302 tt_assert(exit_policy_is_general_exit(policy8));
303 tt_assert(exit_policy_is_general_exit(policy9));
304 tt_assert(!exit_policy_is_general_exit(policy10));
305 tt_assert(!exit_policy_is_general_exit(policy11));
306
307 tt_assert(cmp_addr_policies(policy, policy2));
308 tt_assert(cmp_addr_policies(policy, NULL));
309 tt_assert(!cmp_addr_policies(policy2, policy2));
310 tt_assert(!cmp_addr_policies(NULL, NULL));
311
312 tt_assert(!policy_is_reject_star(policy2, AF_INET, 1));
313 tt_assert(policy_is_reject_star(policy, AF_INET, 1));
314 tt_assert(policy_is_reject_star(policy10, AF_INET, 1));
315 tt_assert(!policy_is_reject_star(policy10, AF_INET6, 1));
316 tt_assert(policy_is_reject_star(policy11, AF_INET, 1));
317 tt_assert(policy_is_reject_star(policy11, AF_INET6, 1));
318 tt_assert(policy_is_reject_star(NULL, AF_INET, 1));
319 tt_assert(policy_is_reject_star(NULL, AF_INET6, 1));
320 tt_assert(!policy_is_reject_star(NULL, AF_INET, 0));
321 tt_assert(!policy_is_reject_star(NULL, AF_INET6, 0));
322
323 addr_policy_list_free(policy);
324 policy = NULL;
325
326 /* make sure assume_action works */
327 malformed_list = 0;
328 p = router_parse_addr_policy_item_from_string("127.0.0.1",
329 ADDR_POLICY_ACCEPT,
330 &malformed_list);
331 tt_assert(p);
332 addr_policy_free(p);
333 tt_assert(!malformed_list);
334
335 p = router_parse_addr_policy_item_from_string("127.0.0.1:*",
336 ADDR_POLICY_ACCEPT,
337 &malformed_list);
338 tt_assert(p);
339 addr_policy_free(p);
340 tt_assert(!malformed_list);
341
342 p = router_parse_addr_policy_item_from_string("[::]",
343 ADDR_POLICY_ACCEPT,
344 &malformed_list);
345 tt_assert(p);
346 addr_policy_free(p);
347 tt_assert(!malformed_list);
348
349 p = router_parse_addr_policy_item_from_string("[::]:*",
350 ADDR_POLICY_ACCEPT,
351 &malformed_list);
352 tt_assert(p);
353 addr_policy_free(p);
354 tt_assert(!malformed_list);
355
356 p = router_parse_addr_policy_item_from_string("[face::b]",
357 ADDR_POLICY_ACCEPT,
358 &malformed_list);
359 tt_assert(p);
360 addr_policy_free(p);
361 tt_assert(!malformed_list);
362
363 p = router_parse_addr_policy_item_from_string("[b::aaaa]",
364 ADDR_POLICY_ACCEPT,
365 &malformed_list);
366 tt_assert(p);
367 addr_policy_free(p);
368 tt_assert(!malformed_list);
369
370 p = router_parse_addr_policy_item_from_string("*",
371 ADDR_POLICY_ACCEPT,
372 &malformed_list);
373 tt_assert(p);
374 addr_policy_free(p);
375 tt_assert(!malformed_list);
376
377 p = router_parse_addr_policy_item_from_string("*4",
378 ADDR_POLICY_ACCEPT,
379 &malformed_list);
380 tt_assert(p);
381 addr_policy_free(p);
382 tt_assert(!malformed_list);
383
384 p = router_parse_addr_policy_item_from_string("*6",
385 ADDR_POLICY_ACCEPT,
386 &malformed_list);
387 tt_assert(p);
388 addr_policy_free(p);
389 tt_assert(!malformed_list);
390
391 /* These are all ambiguous IPv6 addresses, it's good that we reject them */
392 p = router_parse_addr_policy_item_from_string("acce::abcd",
393 ADDR_POLICY_ACCEPT,
394 &malformed_list);
395 tt_assert(!p);
396 tt_assert(malformed_list);
397 malformed_list = 0;
398
399 p = router_parse_addr_policy_item_from_string("7:1234",
400 ADDR_POLICY_ACCEPT,
401 &malformed_list);
402 tt_assert(!p);
403 tt_assert(malformed_list);
404 malformed_list = 0;
405
406 p = router_parse_addr_policy_item_from_string("::",
407 ADDR_POLICY_ACCEPT,
408 &malformed_list);
409 tt_assert(!p);
410 tt_assert(malformed_list);
411 malformed_list = 0;
412
413 /* make sure compacting logic works. */
414 policy = NULL;
415 line.key = (char*)"foo";
416 line.value = (char*)"accept *:80,reject private:*,reject *:*";
417 line.next = NULL;
418 tt_int_op(0, OP_EQ, policies_parse_exit_policy(&line,&policy,
419 EXIT_POLICY_IPV6_ENABLED |
420 EXIT_POLICY_ADD_DEFAULT, NULL));
421 tt_assert(policy);
422
423 //test_streq(policy->string, "accept *:80");
424 //test_streq(policy->next->string, "reject *:*");
425 tt_int_op(smartlist_len(policy),OP_EQ, 4);
426
427 /* test policy summaries */
428 /* check if we properly ignore private IP addresses */
429 test_policy_summary_helper("reject 192.168.0.0/16:*,"
430 "reject 0.0.0.0/8:*,"
431 "reject 10.0.0.0/8:*,"
432 "accept *:10-30,"
433 "accept *:90,"
434 "reject *:*",
435 "accept 10-30,90");
436 /* check all accept policies, and proper counting of rejects */
437 test_policy_summary_helper("reject 11.0.0.0/9:80,"
438 "reject 12.0.0.0/9:80,"
439 "reject 13.0.0.0/9:80,"
440 "reject 14.0.0.0/9:80,"
441 "accept *:*", "accept 1-65535");
442 test_policy_summary_helper("reject 11.0.0.0/9:80,"
443 "reject 12.0.0.0/9:80,"
444 "reject 13.0.0.0/9:80,"
445 "reject 14.0.0.0/9:80,"
446 "reject 15.0.0.0:81,"
447 "accept *:*", "accept 1-65535");
448 test_policy_summary_helper6("reject 11.0.0.0/9:80,"
449 "reject 12.0.0.0/9:80,"
450 "reject 13.0.0.0/9:80,"
451 "reject 14.0.0.0/9:80,"
452 "reject 15.0.0.0:80,"
453 "accept *:*",
454 "reject 80",
455 "accept 1-65535");
456 /* no exits */
457 test_policy_summary_helper("accept 11.0.0.0/9:80,"
458 "reject *:*",
459 "reject 1-65535");
460 /* port merging */
461 test_policy_summary_helper("accept *:80,"
462 "accept *:81,"
463 "accept *:100-110,"
464 "accept *:111,"
465 "reject *:*",
466 "accept 80-81,100-111");
467 /* border ports */
468 test_policy_summary_helper("accept *:1,"
469 "accept *:3,"
470 "accept *:65535,"
471 "reject *:*",
472 "accept 1,3,65535");
473 /* holes */
474 test_policy_summary_helper("accept *:1,"
475 "accept *:3,"
476 "accept *:5,"
477 "accept *:7,"
478 "reject *:*",
479 "accept 1,3,5,7");
480 test_policy_summary_helper("reject *:1,"
481 "reject *:3,"
482 "reject *:5,"
483 "reject *:7,"
484 "accept *:*",
485 "reject 1,3,5,7");
486 /* long policies */
487 /* standard long policy on many exits */
488 test_policy_summary_helper("accept *:20-23,"
489 "accept *:43,"
490 "accept *:53,"
491 "accept *:79-81,"
492 "accept *:88,"
493 "accept *:110,"
494 "accept *:143,"
495 "accept *:194,"
496 "accept *:220,"
497 "accept *:389,"
498 "accept *:443,"
499 "accept *:464,"
500 "accept *:531,"
501 "accept *:543-544,"
502 "accept *:554,"
503 "accept *:563,"
504 "accept *:636,"
505 "accept *:706,"
506 "accept *:749,"
507 "accept *:873,"
508 "accept *:902-904,"
509 "accept *:981,"
510 "accept *:989-995,"
511 "accept *:1194,"
512 "accept *:1220,"
513 "accept *:1293,"
514 "accept *:1500,"
515 "accept *:1533,"
516 "accept *:1677,"
517 "accept *:1723,"
518 "accept *:1755,"
519 "accept *:1863,"
520 "accept *:2082,"
521 "accept *:2083,"
522 "accept *:2086-2087,"
523 "accept *:2095-2096,"
524 "accept *:2102-2104,"
525 "accept *:3128,"
526 "accept *:3389,"
527 "accept *:3690,"
528 "accept *:4321,"
529 "accept *:4643,"
530 "accept *:5050,"
531 "accept *:5190,"
532 "accept *:5222-5223,"
533 "accept *:5228,"
534 "accept *:5900,"
535 "accept *:6660-6669,"
536 "accept *:6679,"
537 "accept *:6697,"
538 "accept *:8000,"
539 "accept *:8008,"
540 "accept *:8074,"
541 "accept *:8080,"
542 "accept *:8087-8088,"
543 "accept *:8332-8333,"
544 "accept *:8443,"
545 "accept *:8888,"
546 "accept *:9418,"
547 "accept *:9999,"
548 "accept *:10000,"
549 "accept *:11371,"
550 "accept *:12350,"
551 "accept *:19294,"
552 "accept *:19638,"
553 "accept *:23456,"
554 "accept *:33033,"
555 "accept *:64738,"
556 "reject *:*",
557 "accept 20-23,43,53,79-81,88,110,143,194,220,389,"
558 "443,464,531,543-544,554,563,636,706,749,873,"
559 "902-904,981,989-995,1194,1220,1293,1500,1533,"
560 "1677,1723,1755,1863,2082-2083,2086-2087,"
561 "2095-2096,2102-2104,3128,3389,3690,4321,4643,"
562 "5050,5190,5222-5223,5228,5900,6660-6669,6679,"
563 "6697,8000,8008,8074,8080,8087-8088,8332-8333,"
564 "8443,8888,9418,9999-10000,11371,12350,19294,"
565 "19638,23456,33033,64738");
566 /* short policy with configured addresses */
567 test_policy_summary_helper("reject 149.56.1.1:*,"
568 "reject [2607:5300:1:1::1:0]:*,"
569 "accept *:80,"
570 "accept *:443,"
571 "reject *:*",
572 "accept 80,443");
573 /* short policy with configured and local interface addresses */
574 test_policy_summary_helper("reject 149.56.1.0:*,"
575 "reject 149.56.1.1:*,"
576 "reject 149.56.1.2:*,"
577 "reject 149.56.1.3:*,"
578 "reject 149.56.1.4:*,"
579 "reject 149.56.1.5:*,"
580 "reject 149.56.1.6:*,"
581 "reject 149.56.1.7:*,"
582 "reject [2607:5300:1:1::1:0]:*,"
583 "reject [2607:5300:1:1::1:1]:*,"
584 "reject [2607:5300:1:1::1:2]:*,"
585 "reject [2607:5300:1:1::1:3]:*,"
586 "reject [2607:5300:1:1::2:0]:*,"
587 "reject [2607:5300:1:1::2:1]:*,"
588 "reject [2607:5300:1:1::2:2]:*,"
589 "reject [2607:5300:1:1::2:3]:*,"
590 "accept *:80,"
591 "accept *:443,"
592 "reject *:*",
593 "accept 80,443");
594 /* short policy with configured netblocks */
595 test_policy_summary_helper("reject 149.56.0.0/16,"
596 "reject6 2607:5300::/32,"
597 "accept *:80,"
598 "accept *:443,"
599 "reject *:*",
600 "accept 80,443");
601 /* short policy with large netblocks that count as a rejection */
602 test_policy_summary_helper("reject 149.0.0.0/6,"
603 "reject6 2600::/6,"
604 "accept *:80,"
605 "accept *:443,"
606 "reject *:*",
607 "reject 1-65535");
608
609 /* longest possible policy
610 * (1-2,4-5,... is longer, but gets reduced to 3,6,... )
611 * Going all the way to 65535 is incredibly slow, so we just go slightly
612 * more than the expected length */
613 test_policy_summary_helper("accept *:1,"
614 "accept *:3,"
615 "accept *:5,"
616 "accept *:7,"
617 "accept *:9,"
618 "accept *:11,"
619 "accept *:13,"
620 "accept *:15,"
621 "accept *:17,"
622 "accept *:19,"
623 "accept *:21,"
624 "accept *:23,"
625 "accept *:25,"
626 "accept *:27,"
627 "accept *:29,"
628 "accept *:31,"
629 "accept *:33,"
630 "accept *:35,"
631 "accept *:37,"
632 "accept *:39,"
633 "accept *:41,"
634 "accept *:43,"
635 "accept *:45,"
636 "accept *:47,"
637 "accept *:49,"
638 "accept *:51,"
639 "accept *:53,"
640 "accept *:55,"
641 "accept *:57,"
642 "accept *:59,"
643 "accept *:61,"
644 "accept *:63,"
645 "accept *:65,"
646 "accept *:67,"
647 "accept *:69,"
648 "accept *:71,"
649 "accept *:73,"
650 "accept *:75,"
651 "accept *:77,"
652 "accept *:79,"
653 "accept *:81,"
654 "accept *:83,"
655 "accept *:85,"
656 "accept *:87,"
657 "accept *:89,"
658 "accept *:91,"
659 "accept *:93,"
660 "accept *:95,"
661 "accept *:97,"
662 "accept *:99,"
663 "accept *:101,"
664 "accept *:103,"
665 "accept *:105,"
666 "accept *:107,"
667 "accept *:109,"
668 "accept *:111,"
669 "accept *:113,"
670 "accept *:115,"
671 "accept *:117,"
672 "accept *:119,"
673 "accept *:121,"
674 "accept *:123,"
675 "accept *:125,"
676 "accept *:127,"
677 "accept *:129,"
678 "accept *:131,"
679 "accept *:133,"
680 "accept *:135,"
681 "accept *:137,"
682 "accept *:139,"
683 "accept *:141,"
684 "accept *:143,"
685 "accept *:145,"
686 "accept *:147,"
687 "accept *:149,"
688 "accept *:151,"
689 "accept *:153,"
690 "accept *:155,"
691 "accept *:157,"
692 "accept *:159,"
693 "accept *:161,"
694 "accept *:163,"
695 "accept *:165,"
696 "accept *:167,"
697 "accept *:169,"
698 "accept *:171,"
699 "accept *:173,"
700 "accept *:175,"
701 "accept *:177,"
702 "accept *:179,"
703 "accept *:181,"
704 "accept *:183,"
705 "accept *:185,"
706 "accept *:187,"
707 "accept *:189,"
708 "accept *:191,"
709 "accept *:193,"
710 "accept *:195,"
711 "accept *:197,"
712 "accept *:199,"
713 "accept *:201,"
714 "accept *:203,"
715 "accept *:205,"
716 "accept *:207,"
717 "accept *:209,"
718 "accept *:211,"
719 "accept *:213,"
720 "accept *:215,"
721 "accept *:217,"
722 "accept *:219,"
723 "accept *:221,"
724 "accept *:223,"
725 "accept *:225,"
726 "accept *:227,"
727 "accept *:229,"
728 "accept *:231,"
729 "accept *:233,"
730 "accept *:235,"
731 "accept *:237,"
732 "accept *:239,"
733 "accept *:241,"
734 "accept *:243,"
735 "accept *:245,"
736 "accept *:247,"
737 "accept *:249,"
738 "accept *:251,"
739 "accept *:253,"
740 "accept *:255,"
741 "accept *:257,"
742 "accept *:259,"
743 "accept *:261,"
744 "accept *:263,"
745 "accept *:265,"
746 "accept *:267,"
747 "accept *:269,"
748 "accept *:271,"
749 "accept *:273,"
750 "accept *:275,"
751 "accept *:277,"
752 "accept *:279,"
753 "accept *:281,"
754 "accept *:283,"
755 "accept *:285,"
756 "accept *:287,"
757 "accept *:289,"
758 "accept *:291,"
759 "accept *:293,"
760 "accept *:295,"
761 "accept *:297,"
762 "accept *:299,"
763 "accept *:301,"
764 "accept *:303,"
765 "accept *:305,"
766 "accept *:307,"
767 "accept *:309,"
768 "accept *:311,"
769 "accept *:313,"
770 "accept *:315,"
771 "accept *:317,"
772 "accept *:319,"
773 "accept *:321,"
774 "accept *:323,"
775 "accept *:325,"
776 "accept *:327,"
777 "accept *:329,"
778 "accept *:331,"
779 "accept *:333,"
780 "accept *:335,"
781 "accept *:337,"
782 "accept *:339,"
783 "accept *:341,"
784 "accept *:343,"
785 "accept *:345,"
786 "accept *:347,"
787 "accept *:349,"
788 "accept *:351,"
789 "accept *:353,"
790 "accept *:355,"
791 "accept *:357,"
792 "accept *:359,"
793 "accept *:361,"
794 "accept *:363,"
795 "accept *:365,"
796 "accept *:367,"
797 "accept *:369,"
798 "accept *:371,"
799 "accept *:373,"
800 "accept *:375,"
801 "accept *:377,"
802 "accept *:379,"
803 "accept *:381,"
804 "accept *:383,"
805 "accept *:385,"
806 "accept *:387,"
807 "accept *:389,"
808 "accept *:391,"
809 "accept *:393,"
810 "accept *:395,"
811 "accept *:397,"
812 "accept *:399,"
813 "accept *:401,"
814 "accept *:403,"
815 "accept *:405,"
816 "accept *:407,"
817 "accept *:409,"
818 "accept *:411,"
819 "accept *:413,"
820 "accept *:415,"
821 "accept *:417,"
822 "accept *:419,"
823 "accept *:421,"
824 "accept *:423,"
825 "accept *:425,"
826 "accept *:427,"
827 "accept *:429,"
828 "accept *:431,"
829 "accept *:433,"
830 "accept *:435,"
831 "accept *:437,"
832 "accept *:439,"
833 "accept *:441,"
834 "accept *:443,"
835 "accept *:445,"
836 "accept *:447,"
837 "accept *:449,"
838 "accept *:451,"
839 "accept *:453,"
840 "accept *:455,"
841 "accept *:457,"
842 "accept *:459,"
843 "accept *:461,"
844 "accept *:463,"
845 "accept *:465,"
846 "accept *:467,"
847 "accept *:469,"
848 "accept *:471,"
849 "accept *:473,"
850 "accept *:475,"
851 "accept *:477,"
852 "accept *:479,"
853 "accept *:481,"
854 "accept *:483,"
855 "accept *:485,"
856 "accept *:487,"
857 "accept *:489,"
858 "accept *:491,"
859 "accept *:493,"
860 "accept *:495,"
861 "accept *:497,"
862 "accept *:499,"
863 "accept *:501,"
864 "accept *:503,"
865 "accept *:505,"
866 "accept *:507,"
867 "accept *:509,"
868 "accept *:511,"
869 "accept *:513,"
870 "accept *:515,"
871 "accept *:517,"
872 "accept *:519,"
873 "accept *:521,"
874 "accept *:523,"
875 "accept *:525,"
876 "accept *:527,"
877 "accept *:529,"
878 "reject *:*",
879 "accept 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,"
880 "31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,"
881 "63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,"
882 "95,97,99,101,103,105,107,109,111,113,115,117,"
883 "119,121,123,125,127,129,131,133,135,137,139,141,"
884 "143,145,147,149,151,153,155,157,159,161,163,165,"
885 "167,169,171,173,175,177,179,181,183,185,187,189,"
886 "191,193,195,197,199,201,203,205,207,209,211,213,"
887 "215,217,219,221,223,225,227,229,231,233,235,237,"
888 "239,241,243,245,247,249,251,253,255,257,259,261,"
889 "263,265,267,269,271,273,275,277,279,281,283,285,"
890 "287,289,291,293,295,297,299,301,303,305,307,309,"
891 "311,313,315,317,319,321,323,325,327,329,331,333,"
892 "335,337,339,341,343,345,347,349,351,353,355,357,"
893 "359,361,363,365,367,369,371,373,375,377,379,381,"
894 "383,385,387,389,391,393,395,397,399,401,403,405,"
895 "407,409,411,413,415,417,419,421,423,425,427,429,"
896 "431,433,435,437,439,441,443,445,447,449,451,453,"
897 "455,457,459,461,463,465,467,469,471,473,475,477,"
898 "479,481,483,485,487,489,491,493,495,497,499,501,"
899 "503,505,507,509,511,513,515,517,519,521,523");
900
901 /* Short policies with unrecognized formats should get accepted. */
902 test_short_policy_parse("accept fred,2,3-5", "accept 2,3-5");
903 test_short_policy_parse("accept 2,fred,3", "accept 2,3");
904 test_short_policy_parse("accept 2,fred,3,bob", "accept 2,3");
905 test_short_policy_parse("accept 2,-3,500-600", "accept 2,500-600");
906 /* Short policies with nil entries are accepted too. */
907 test_short_policy_parse("accept 1,,3", "accept 1,3");
908 test_short_policy_parse("accept 100-200,,", "accept 100-200");
909 test_short_policy_parse("reject ,1-10,,,,30-40", "reject 1-10,30-40");
910
911 /* Try parsing various broken short policies */
912 #define TT_BAD_SHORT_POLICY(s) \
913 do { \
914 tt_ptr_op(NULL, OP_EQ, (short_parsed = parse_short_policy((s)))); \
915 } while (0)
916 TT_BAD_SHORT_POLICY("accept 200-199");
917 TT_BAD_SHORT_POLICY("");
918 TT_BAD_SHORT_POLICY("rejekt 1,2,3");
919 TT_BAD_SHORT_POLICY("reject ");
920 TT_BAD_SHORT_POLICY("reject");
921 TT_BAD_SHORT_POLICY("rej");
922 TT_BAD_SHORT_POLICY("accept 2,3,100000");
923 TT_BAD_SHORT_POLICY("accept 2,3x,4");
924 TT_BAD_SHORT_POLICY("accept 2,3x,4");
925 TT_BAD_SHORT_POLICY("accept 2-");
926 TT_BAD_SHORT_POLICY("accept 2-x");
927 TT_BAD_SHORT_POLICY("accept 1-,3");
928 TT_BAD_SHORT_POLICY("accept 1-,3");
929
930 /* Make sure that IPv4 addresses are ignored in accept6/reject6 lines. */
931 p = router_parse_addr_policy_item_from_string("accept6 1.2.3.4:*", -1,
932 &malformed_list);
933 tt_assert(p == NULL);
934 tt_assert(!malformed_list);
935
936 p = router_parse_addr_policy_item_from_string("reject6 2.4.6.0/24:*", -1,
937 &malformed_list);
938 tt_assert(p == NULL);
939 tt_assert(!malformed_list);
940
941 p = router_parse_addr_policy_item_from_string("accept6 *4:*", -1,
942 &malformed_list);
943 tt_assert(p == NULL);
944 tt_assert(!malformed_list);
945
946 /* Make sure malformed policies are detected as such. */
947 p = router_parse_addr_policy_item_from_string("bad_token *4:*", -1,
948 &malformed_list);
949 tt_assert(p == NULL);
950 tt_assert(malformed_list);
951
952 p = router_parse_addr_policy_item_from_string("accept6 **:*", -1,
953 &malformed_list);
954 tt_assert(p == NULL);
955 tt_assert(malformed_list);
956
957 p = router_parse_addr_policy_item_from_string("accept */15:*", -1,
958 &malformed_list);
959 tt_assert(p == NULL);
960 tt_assert(malformed_list);
961
962 p = router_parse_addr_policy_item_from_string("reject6 */:*", -1,
963 &malformed_list);
964 tt_assert(p == NULL);
965 tt_assert(malformed_list);
966
967 p = router_parse_addr_policy_item_from_string("accept 127.0.0.1/33:*", -1,
968 &malformed_list);
969 tt_assert(p == NULL);
970 tt_assert(malformed_list);
971
972 p = router_parse_addr_policy_item_from_string("accept6 [::1]/129:*", -1,
973 &malformed_list);
974 tt_assert(p == NULL);
975 tt_assert(malformed_list);
976
977 p = router_parse_addr_policy_item_from_string("reject 8.8.8.8/-1:*", -1,
978 &malformed_list);
979 tt_assert(p == NULL);
980 tt_assert(malformed_list);
981
982 p = router_parse_addr_policy_item_from_string("reject 8.8.4.4:10-5", -1,
983 &malformed_list);
984 tt_assert(p == NULL);
985 tt_assert(malformed_list);
986
987 p = router_parse_addr_policy_item_from_string("reject 1.2.3.4:-1", -1,
988 &malformed_list);
989 tt_assert(p == NULL);
990 tt_assert(malformed_list);
991
992 /* Test a too-long policy. */
993 {
994 char *policy_strng = NULL;
995 smartlist_t *chunks = smartlist_new();
996 smartlist_add(chunks, tor_strdup("accept "));
997 for (i=1; i<10000; ++i)
998 smartlist_add_asprintf(chunks, "%d,", i);
999 smartlist_add(chunks, tor_strdup("20000"));
1000 policy_strng = smartlist_join_strings(chunks, "", 0, NULL);
1001 SMARTLIST_FOREACH(chunks, char *, ch, tor_free(ch));
1002 smartlist_free(chunks);
1003 short_parsed = parse_short_policy(policy_strng);/* shouldn't be accepted */
1004 tor_free(policy_strng);
1005 tt_ptr_op(NULL, OP_EQ, short_parsed);
1006 }
1007
1008 /* truncation ports */
1009 sm = smartlist_new();
1010 for (i=1; i<2000; i+=2) {
1011 char buf[POLICY_BUF_LEN];
1012 tor_snprintf(buf, sizeof(buf), "reject *:%d", i);
1013 smartlist_add(sm, tor_strdup(buf));
1014 }
1015 smartlist_add(sm, tor_strdup("accept *:*"));
1016 policy_str = smartlist_join_strings(sm, ",", 0, NULL);
1017 test_policy_summary_helper( policy_str,
1018 "accept 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,"
1019 "46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90,"
1020 "92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128,"
1021 "130,132,134,136,138,140,142,144,146,148,150,152,154,156,158,160,162,164,"
1022 "166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200,"
1023 "202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236,"
1024 "238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272,"
1025 "274,276,278,280,282,284,286,288,290,292,294,296,298,300,302,304,306,308,"
1026 "310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344,"
1027 "346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380,"
1028 "382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416,"
1029 "418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452,"
1030 "454,456,458,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488,"
1031 "490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522");
1032
1033 done:
1034 addr_policy_list_free(policy);
1035 addr_policy_list_free(policy2);
1036 addr_policy_list_free(policy3);
1037 addr_policy_list_free(policy4);
1038 addr_policy_list_free(policy5);
1039 addr_policy_list_free(policy6);
1040 addr_policy_list_free(policy7);
1041 addr_policy_list_free(policy8);
1042 addr_policy_list_free(policy9);
1043 addr_policy_list_free(policy10);
1044 addr_policy_list_free(policy11);
1045 addr_policy_list_free(policy12);
1046 tor_free(policy_str);
1047 if (sm) {
1048 SMARTLIST_FOREACH(sm, char *, s, tor_free(s));
1049 smartlist_free(sm);
1050 }
1051 short_policy_free(short_parsed);
1052 }
1053
1054 /** Helper: Check that policy_list contains address */
1055 static int
1056 test_policy_has_address_helper(const smartlist_t *policy_list,
1057 const tor_addr_t *addr)
1058 {
1059 int found = 0;
1060
1061 tt_assert(policy_list);
1062 tt_assert(addr);
1063
1064 SMARTLIST_FOREACH_BEGIN(policy_list, addr_policy_t*, p) {
1065 if (tor_addr_eq(&p->addr, addr)) {
1066 found = 1;
1067 }
1068 } SMARTLIST_FOREACH_END(p);
1069
1070 return found;
1071
1072 done:
1073 return 0;
1074 }
1075
1076 #define TEST_IPV4_ADDR (0x01020304)
1077 #define TEST_IPV6_ADDR ("2002::abcd")
1078
1079 /** Run unit tests for rejecting the configured addresses on this exit relay
1080 * using policies_parse_exit_policy_reject_private */
1081 static void
1082 test_policies_reject_exit_address(void *arg)
1083 {
1084 smartlist_t *policy = NULL;
1085 tor_addr_t ipv4_addr, ipv6_addr;
1086 smartlist_t *ipv4_list, *ipv6_list, *both_list, *dupl_list;
1087 (void)arg;
1088
1089 tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR);
1090 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
1091
1092 ipv4_list = smartlist_new();
1093 ipv6_list = smartlist_new();
1094 both_list = smartlist_new();
1095 dupl_list = smartlist_new();
1096
1097 smartlist_add(ipv4_list, &ipv4_addr);
1098 smartlist_add(both_list, &ipv4_addr);
1099 smartlist_add(dupl_list, &ipv4_addr);
1100 smartlist_add(dupl_list, &ipv4_addr);
1101 smartlist_add(dupl_list, &ipv4_addr);
1102
1103 smartlist_add(ipv6_list, &ipv6_addr);
1104 smartlist_add(both_list, &ipv6_addr);
1105 smartlist_add(dupl_list, &ipv6_addr);
1106 smartlist_add(dupl_list, &ipv6_addr);
1107
1108 /* IPv4-Only Exits */
1109
1110 /* test that IPv4 addresses are rejected on an IPv4-only exit */
1111 policies_parse_exit_policy_reject_private(&policy, 0, ipv4_list, 0, 0);
1112 tt_assert(policy);
1113 tt_assert(smartlist_len(policy) == 1);
1114 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1115 addr_policy_list_free(policy);
1116 policy = NULL;
1117
1118 /* test that IPv6 addresses are NOT rejected on an IPv4-only exit
1119 * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal
1120 * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't
1121 * need to do anything) */
1122 policies_parse_exit_policy_reject_private(&policy, 0, ipv6_list, 0, 0);
1123 tt_assert(policy == NULL);
1124
1125 /* test that only IPv4 addresses are rejected on an IPv4-only exit */
1126 policies_parse_exit_policy_reject_private(&policy, 0, both_list, 0, 0);
1127 tt_assert(policy);
1128 tt_assert(smartlist_len(policy) == 1);
1129 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1130 addr_policy_list_free(policy);
1131 policy = NULL;
1132
1133 /* Test that lists with duplicate entries produce the same results */
1134 policies_parse_exit_policy_reject_private(&policy, 0, dupl_list, 0, 0);
1135 tt_assert(policy);
1136 tt_assert(smartlist_len(policy) == 1);
1137 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1138 addr_policy_list_free(policy);
1139 policy = NULL;
1140
1141 /* IPv4/IPv6 Exits */
1142
1143 /* test that IPv4 addresses are rejected on an IPv4/IPv6 exit */
1144 policies_parse_exit_policy_reject_private(&policy, 1, ipv4_list, 0, 0);
1145 tt_assert(policy);
1146 tt_assert(smartlist_len(policy) == 1);
1147 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1148 addr_policy_list_free(policy);
1149 policy = NULL;
1150
1151 /* test that IPv6 addresses are rejected on an IPv4/IPv6 exit */
1152 policies_parse_exit_policy_reject_private(&policy, 1, ipv6_list, 0, 0);
1153 tt_assert(policy);
1154 tt_assert(smartlist_len(policy) == 1);
1155 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1156 addr_policy_list_free(policy);
1157 policy = NULL;
1158
1159 /* test that IPv4 and IPv6 addresses are rejected on an IPv4/IPv6 exit */
1160 policies_parse_exit_policy_reject_private(&policy, 1, both_list, 0, 0);
1161 tt_assert(policy);
1162 tt_assert(smartlist_len(policy) == 2);
1163 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1164 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1165 addr_policy_list_free(policy);
1166 policy = NULL;
1167
1168 /* Test that lists with duplicate entries produce the same results */
1169 policies_parse_exit_policy_reject_private(&policy, 1, dupl_list, 0, 0);
1170 tt_assert(policy);
1171 tt_assert(smartlist_len(policy) == 2);
1172 tt_assert(test_policy_has_address_helper(policy, &ipv4_addr));
1173 tt_assert(test_policy_has_address_helper(policy, &ipv6_addr));
1174 addr_policy_list_free(policy);
1175 policy = NULL;
1176
1177 done:
1178 addr_policy_list_free(policy);
1179 smartlist_free(ipv4_list);
1180 smartlist_free(ipv6_list);
1181 smartlist_free(both_list);
1182 smartlist_free(dupl_list);
1183 }
1184
1185 static smartlist_t *test_configured_ports = NULL;
1186
1187 /** Returns test_configured_ports */
1188 static const smartlist_t *
1189 mock_get_configured_ports(void)
1190 {
1191 return test_configured_ports;
1192 }
1193
1194 /** Run unit tests for rejecting publicly routable configured port addresses
1195 * on this exit relay using policies_parse_exit_policy_reject_private */
1196 static void
1197 test_policies_reject_port_address(void *arg)
1198 {
1199 smartlist_t *policy = NULL;
1200 port_cfg_t *ipv4_port = NULL;
1201 port_cfg_t *ipv6_port = NULL;
1202 (void)arg;
1203
1204 test_configured_ports = smartlist_new();
1205
1206 ipv4_port = port_cfg_new(0);
1207 tor_addr_from_ipv4h(&ipv4_port->addr, TEST_IPV4_ADDR);
1208 smartlist_add(test_configured_ports, ipv4_port);
1209
1210 ipv6_port = port_cfg_new(0);
1211 tor_addr_parse(&ipv6_port->addr, TEST_IPV6_ADDR);
1212 smartlist_add(test_configured_ports, ipv6_port);
1213
1214 MOCK(get_configured_ports, mock_get_configured_ports);
1215
1216 /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port
1217 * is NOT rejected (all IPv6 addresses are rejected by
1218 * policies_parse_exit_policy_internal on IPv4-only exits, so
1219 * policies_parse_exit_policy_reject_private doesn't need to do anything
1220 * with IPv6 addresses on IPv4-only exits) */
1221 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 1);
1222 tt_assert(policy);
1223 tt_assert(smartlist_len(policy) == 1);
1224 tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
1225 addr_policy_list_free(policy);
1226 policy = NULL;
1227
1228 /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */
1229 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 0, 1);
1230 tt_assert(policy);
1231 tt_assert(smartlist_len(policy) == 2);
1232 tt_assert(test_policy_has_address_helper(policy, &ipv4_port->addr));
1233 tt_assert(test_policy_has_address_helper(policy, &ipv6_port->addr));
1234 addr_policy_list_free(policy);
1235 policy = NULL;
1236
1237 done:
1238 addr_policy_list_free(policy);
1239 if (test_configured_ports) {
1240 SMARTLIST_FOREACH(test_configured_ports,
1241 port_cfg_t *, p, port_cfg_free(p));
1242 smartlist_free(test_configured_ports);
1243 test_configured_ports = NULL;
1244 }
1245 UNMOCK(get_configured_ports);
1246 }
1247
1248 static smartlist_t *mock_ipv4_addrs = NULL;
1249 static smartlist_t *mock_ipv6_addrs = NULL;
1250
1251 /* mock get_interface_address6_list, returning a deep copy of the template
1252 * address list ipv4_interface_address_list or ipv6_interface_address_list */
1253 static smartlist_t *
1254 mock_get_interface_address6_list(int severity,
1255 sa_family_t family,
1256 int include_internal)
1257 {
1258 (void)severity;
1259 (void)include_internal;
1260 smartlist_t *clone_list = smartlist_new();
1261 smartlist_t *template_list = NULL;
1262
1263 if (family == AF_INET) {
1264 template_list = mock_ipv4_addrs;
1265 } else if (family == AF_INET6) {
1266 template_list = mock_ipv6_addrs;
1267 } else {
1268 return NULL;
1269 }
1270
1271 tt_assert(template_list);
1272
1273 SMARTLIST_FOREACH_BEGIN(template_list, tor_addr_t *, src_addr) {
1274 tor_addr_t *dest_addr = tor_malloc(sizeof(tor_addr_t));
1275 memset(dest_addr, 0, sizeof(*dest_addr));
1276 tor_addr_copy_tight(dest_addr, src_addr);
1277 smartlist_add(clone_list, dest_addr);
1278 } SMARTLIST_FOREACH_END(src_addr);
1279
1280 return clone_list;
1281
1282 done:
1283 free_interface_address6_list(clone_list);
1284 return NULL;
1285 }
1286
1287 /** Run unit tests for rejecting publicly routable interface addresses on this
1288 * exit relay using policies_parse_exit_policy_reject_private */
1289 static void
1290 test_policies_reject_interface_address(void *arg)
1291 {
1292 smartlist_t *policy = NULL;
1293 smartlist_t *public_ipv4_addrs =
1294 get_interface_address6_list(LOG_INFO, AF_INET, 0);
1295 smartlist_t *public_ipv6_addrs =
1296 get_interface_address6_list(LOG_INFO, AF_INET6, 0);
1297 tor_addr_t ipv4_addr, ipv6_addr;
1298 (void)arg;
1299
1300 /* test that no addresses are rejected when none are supplied/requested */
1301 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0);
1302 tt_assert(policy == NULL);
1303
1304 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1305 * (and allow for duplicates)
1306 */
1307 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0);
1308 if (policy) {
1309 tt_assert(smartlist_len(policy) <= smartlist_len(public_ipv4_addrs));
1310 addr_policy_list_free(policy);
1311 policy = NULL;
1312 }
1313
1314 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1315 * exit (and allow for duplicates) */
1316 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0);
1317 if (policy) {
1318 tt_assert(smartlist_len(policy) <= (smartlist_len(public_ipv4_addrs)
1319 + smartlist_len(public_ipv6_addrs)));
1320 addr_policy_list_free(policy);
1321 policy = NULL;
1322 }
1323
1324 /* Now do it all again, but mocked */
1325 tor_addr_from_ipv4h(&ipv4_addr, TEST_IPV4_ADDR);
1326 mock_ipv4_addrs = smartlist_new();
1327 smartlist_add(mock_ipv4_addrs, (void *)&ipv4_addr);
1328
1329 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR);
1330 mock_ipv6_addrs = smartlist_new();
1331 smartlist_add(mock_ipv6_addrs, (void *)&ipv6_addr);
1332
1333 MOCK(get_interface_address6_list, mock_get_interface_address6_list);
1334
1335 /* test that no addresses are rejected when none are supplied/requested */
1336 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 0, 0);
1337 tt_assert(policy == NULL);
1338
1339 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1340 */
1341 policies_parse_exit_policy_reject_private(&policy, 0, NULL, 1, 0);
1342 tt_assert(policy);
1343 tt_assert(smartlist_len(policy) == smartlist_len(mock_ipv4_addrs));
1344 addr_policy_list_free(policy);
1345 policy = NULL;
1346
1347 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1348 * exit */
1349 policies_parse_exit_policy_reject_private(&policy, 1, NULL, 1, 0);
1350 tt_assert(policy);
1351 tt_assert(smartlist_len(policy) == (smartlist_len(mock_ipv4_addrs)
1352 + smartlist_len(mock_ipv6_addrs)));
1353 addr_policy_list_free(policy);
1354 policy = NULL;
1355
1356 done:
1357 addr_policy_list_free(policy);
1358 free_interface_address6_list(public_ipv4_addrs);
1359 free_interface_address6_list(public_ipv6_addrs);
1360
1361 UNMOCK(get_interface_address6_list);
1362 /* we don't use free_interface_address6_list on these lists because their
1363 * address pointers are stack-based */
1364 smartlist_free(mock_ipv4_addrs);
1365 smartlist_free(mock_ipv6_addrs);
1366 }
1367
1368 #undef TEST_IPV4_ADDR
1369 #undef TEST_IPV6_ADDR
1370
1371 static void
1372 test_dump_exit_policy_to_string(void *arg)
1373 {
1374 char *ep;
1375 addr_policy_t *policy_entry;
1376 int malformed_list = -1;
1377
1378 routerinfo_t *ri = tor_malloc_zero(sizeof(routerinfo_t));
1379
1380 (void)arg;
1381
1382 ri->policy_is_reject_star = 1;
1383 ri->exit_policy = NULL; // expecting "reject *:*"
1384 ep = router_dump_exit_policy_to_string(ri,1,1);
1385
1386 tt_str_op("reject *:*",OP_EQ, ep);
1387
1388 tor_free(ep);
1389
1390 ri->exit_policy = smartlist_new();
1391 ri->policy_is_reject_star = 0;
1392
1393 policy_entry = router_parse_addr_policy_item_from_string("accept *:*", -1,
1394 &malformed_list);
1395
1396 smartlist_add(ri->exit_policy,policy_entry);
1397
1398 ep = router_dump_exit_policy_to_string(ri,1,1);
1399
1400 tt_str_op("accept *:*",OP_EQ, ep);
1401
1402 tor_free(ep);
1403
1404 policy_entry = router_parse_addr_policy_item_from_string("reject *:25", -1,
1405 &malformed_list);
1406
1407 smartlist_add(ri->exit_policy,policy_entry);
1408
1409 ep = router_dump_exit_policy_to_string(ri,1,1);
1410
1411 tt_str_op("accept *:*\nreject *:25",OP_EQ, ep);
1412
1413 tor_free(ep);
1414
1415 policy_entry =
1416 router_parse_addr_policy_item_from_string("reject 8.8.8.8:*", -1,
1417 &malformed_list);
1418
1419 smartlist_add(ri->exit_policy,policy_entry);
1420
1421 ep = router_dump_exit_policy_to_string(ri,1,1);
1422
1423 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*",OP_EQ, ep);
1424 tor_free(ep);
1425
1426 policy_entry =
1427 router_parse_addr_policy_item_from_string("reject6 [FC00::]/7:*", -1,
1428 &malformed_list);
1429
1430 smartlist_add(ri->exit_policy,policy_entry);
1431
1432 ep = router_dump_exit_policy_to_string(ri,1,1);
1433
1434 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1435 "reject6 [fc00::]/7:*",OP_EQ, ep);
1436 tor_free(ep);
1437
1438 policy_entry =
1439 router_parse_addr_policy_item_from_string("accept6 [c000::]/3:*", -1,
1440 &malformed_list);
1441
1442 smartlist_add(ri->exit_policy,policy_entry);
1443
1444 ep = router_dump_exit_policy_to_string(ri,1,1);
1445
1446 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1447 "reject6 [fc00::]/7:*\naccept6 [c000::]/3:*",OP_EQ, ep);
1448
1449 done:
1450
1451 if (ri->exit_policy) {
1452 SMARTLIST_FOREACH(ri->exit_policy, addr_policy_t *,
1453 entry, addr_policy_free(entry));
1454 smartlist_free(ri->exit_policy);
1455 }
1456 tor_free(ri);
1457 tor_free(ep);
1458 }
1459
1460 static routerinfo_t *mock_desc_routerinfo = NULL;
1461 static const routerinfo_t *
1462 mock_router_get_my_routerinfo(void)
1463 {
1464 return mock_desc_routerinfo;
1465 }
1466
1467 #define DEFAULT_POLICY_STRING "reject *:*"
1468 #define TEST_IPV4_ADDR (0x02040608)
1469 #define TEST_IPV6_ADDR ("2003::ef01")
1470
1471 static or_options_t mock_options;
1472
1473 static const or_options_t *
1474 mock_get_options(void)
1475 {
1476 return &mock_options;
1477 }
1478
1479 /** Run unit tests for generating summary lines of exit policies */
1480 static void
1481 test_policies_getinfo_helper_policies(void *arg)
1482 {
1483 (void)arg;
1484 int rv = 0;
1485 size_t ipv4_len = 0, ipv6_len = 0;
1486 char *answer = NULL;
1487 const char *errmsg = NULL;
1488 routerinfo_t mock_my_routerinfo;
1489
1490 memset(&mock_my_routerinfo, 0, sizeof(mock_my_routerinfo));
1491
1492 rv = getinfo_helper_policies(NULL, "exit-policy/default", &answer, &errmsg);
1493 tt_assert(rv == 0);
1494 tt_assert(answer != NULL);
1495 tt_assert(strlen(answer) > 0);
1496 tor_free(answer);
1497
1498 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/default",
1499 &answer, &errmsg);
1500 tt_assert(rv == 0);
1501 tt_assert(answer != NULL);
1502 tt_assert(strlen(answer) > 0);
1503 tor_free(answer);
1504
1505 memset(&mock_my_routerinfo, 0, sizeof(routerinfo_t));
1506 MOCK(router_get_my_routerinfo, mock_router_get_my_routerinfo);
1507 mock_my_routerinfo.exit_policy = smartlist_new();
1508 mock_desc_routerinfo = &mock_my_routerinfo;
1509
1510 memset(&mock_options, 0, sizeof(or_options_t));
1511 MOCK(get_options, mock_get_options);
1512
1513 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1514 &answer, &errmsg);
1515 tt_assert(rv == 0);
1516 tt_assert(answer != NULL);
1517 tt_assert(strlen(answer) == 0);
1518 tor_free(answer);
1519
1520 rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
1521 &errmsg);
1522 tt_assert(rv == 0);
1523 tt_assert(answer != NULL);
1524 ipv4_len = strlen(answer);
1525 tt_assert(ipv4_len == 0 || ipv4_len == strlen(DEFAULT_POLICY_STRING));
1526 tt_assert(ipv4_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1527 tor_free(answer);
1528
1529 rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
1530 &errmsg);
1531 tt_assert(rv == 0);
1532 tt_assert(answer != NULL);
1533 ipv6_len = strlen(answer);
1534 tt_assert(ipv6_len == 0 || ipv6_len == strlen(DEFAULT_POLICY_STRING));
1535 tt_assert(ipv6_len == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1536 tor_free(answer);
1537
1538 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1539 &errmsg);
1540 tt_assert(rv == 0);
1541 tt_assert(answer != NULL);
1542 /* It's either empty or it's the default */
1543 tt_assert(strlen(answer) == 0 || !strcasecmp(answer, DEFAULT_POLICY_STRING));
1544 tor_free(answer);
1545
1546 mock_my_routerinfo.addr = TEST_IPV4_ADDR;
1547 tor_addr_parse(&mock_my_routerinfo.ipv6_addr, TEST_IPV6_ADDR);
1548 append_exit_policy_string(&mock_my_routerinfo.exit_policy, "accept *4:*");
1549 append_exit_policy_string(&mock_my_routerinfo.exit_policy, "reject *6:*");
1550
1551 mock_options.IPv6Exit = 1;
1552 tor_addr_from_ipv4h(&mock_options.OutboundBindAddressIPv4_, TEST_IPV4_ADDR);
1553 tor_addr_parse(&mock_options.OutboundBindAddressIPv6_, TEST_IPV6_ADDR);
1554
1555 mock_options.ExitPolicyRejectPrivate = 1;
1556 mock_options.ExitPolicyRejectLocalInterfaces = 1;
1557
1558 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1559 &answer, &errmsg);
1560 tt_assert(rv == 0);
1561 tt_assert(answer != NULL);
1562 tt_assert(strlen(answer) > 0);
1563 tor_free(answer);
1564
1565 mock_options.ExitPolicyRejectPrivate = 1;
1566 mock_options.ExitPolicyRejectLocalInterfaces = 0;
1567
1568 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1569 &answer, &errmsg);
1570 tt_assert(rv == 0);
1571 tt_assert(answer != NULL);
1572 tt_assert(strlen(answer) > 0);
1573 tor_free(answer);
1574
1575 mock_options.ExitPolicyRejectPrivate = 0;
1576 mock_options.ExitPolicyRejectLocalInterfaces = 1;
1577
1578 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1579 &answer, &errmsg);
1580 tt_assert(rv == 0);
1581 tt_assert(answer != NULL);
1582 tt_assert(strlen(answer) > 0);
1583 tor_free(answer);
1584
1585 mock_options.ExitPolicyRejectPrivate = 0;
1586 mock_options.ExitPolicyRejectLocalInterfaces = 0;
1587
1588 rv = getinfo_helper_policies(NULL, "exit-policy/reject-private/relay",
1589 &answer, &errmsg);
1590 tt_assert(rv == 0);
1591 tt_assert(answer != NULL);
1592 tt_assert(strlen(answer) == 0);
1593 tor_free(answer);
1594
1595 rv = getinfo_helper_policies(NULL, "exit-policy/ipv4", &answer,
1596 &errmsg);
1597 tt_assert(rv == 0);
1598 tt_assert(answer != NULL);
1599 ipv4_len = strlen(answer);
1600 tt_assert(ipv4_len > 0);
1601 tor_free(answer);
1602
1603 rv = getinfo_helper_policies(NULL, "exit-policy/ipv6", &answer,
1604 &errmsg);
1605 tt_assert(rv == 0);
1606 tt_assert(answer != NULL);
1607 ipv6_len = strlen(answer);
1608 tt_assert(ipv6_len > 0);
1609 tor_free(answer);
1610
1611 rv = getinfo_helper_policies(NULL, "exit-policy/full", &answer,
1612 &errmsg);
1613 tt_assert(rv == 0);
1614 tt_assert(answer != NULL);
1615 tt_assert(strlen(answer) > 0);
1616 tt_assert(strlen(answer) == ipv4_len + ipv6_len + 1);
1617 tor_free(answer);
1618
1619 done:
1620 tor_free(answer);
1621 UNMOCK(get_options);
1622 UNMOCK(router_get_my_routerinfo);
1623 addr_policy_list_free(mock_my_routerinfo.exit_policy);
1624 }
1625
1626 #undef DEFAULT_POLICY_STRING
1627 #undef TEST_IPV4_ADDR
1628 #undef TEST_IPV6_ADDR
1629
1630 #define TEST_IPV4_ADDR_STR "1.2.3.4"
1631 #define TEST_IPV6_ADDR_STR "[1002::4567]"
1632 #define REJECT_IPv4_FINAL_STR "reject 0.0.0.0/0:*"
1633 #define REJECT_IPv6_FINAL_STR "reject [::]/0:*"
1634
1635 #define OTHER_IPV4_ADDR_STR "6.7.8.9"
1636 #define OTHER_IPV6_ADDR_STR "[afff::]"
1637
1638 /** Run unit tests for fascist_firewall_allows_address */
1639 static void
1640 test_policies_fascist_firewall_allows_address(void *arg)
1641 {
1642 (void)arg;
1643 tor_addr_t ipv4_addr, ipv6_addr, r_ipv4_addr, r_ipv6_addr;
1644 tor_addr_t n_ipv4_addr, n_ipv6_addr;
1645 const uint16_t port = 1234;
1646 smartlist_t *policy = NULL;
1647 smartlist_t *e_policy = NULL;
1648 addr_policy_t *item = NULL;
1649 int malformed_list = 0;
1650
1651 /* Setup the options and the items in the policies */
1652 memset(&mock_options, 0, sizeof(or_options_t));
1653 MOCK(get_options, mock_get_options);
1654
1655 policy = smartlist_new();
1656 item = router_parse_addr_policy_item_from_string("accept "
1657 TEST_IPV4_ADDR_STR ":*",
1658 ADDR_POLICY_ACCEPT,
1659 &malformed_list);
1660 tt_assert(item);
1661 tt_assert(!malformed_list);
1662 smartlist_add(policy, item);
1663 item = router_parse_addr_policy_item_from_string("accept "
1664 TEST_IPV6_ADDR_STR,
1665 ADDR_POLICY_ACCEPT,
1666 &malformed_list);
1667 tt_assert(item);
1668 tt_assert(!malformed_list);
1669 smartlist_add(policy, item);
1670 /* Normally, policy_expand_unspec would do this for us */
1671 item = router_parse_addr_policy_item_from_string(REJECT_IPv4_FINAL_STR,
1672 ADDR_POLICY_ACCEPT,
1673 &malformed_list);
1674 tt_assert(item);
1675 tt_assert(!malformed_list);
1676 smartlist_add(policy, item);
1677 item = router_parse_addr_policy_item_from_string(REJECT_IPv6_FINAL_STR,
1678 ADDR_POLICY_ACCEPT,
1679 &malformed_list);
1680 tt_assert(item);
1681 tt_assert(!malformed_list);
1682 smartlist_add(policy, item);
1683 item = NULL;
1684
1685 e_policy = smartlist_new();
1686
1687 /*
1688 char *polstr = policy_dump_to_string(policy, 1, 1);
1689 printf("%s\n", polstr);
1690 tor_free(polstr);
1691 */
1692
1693 /* Parse the addresses */
1694 tor_addr_parse(&ipv4_addr, TEST_IPV4_ADDR_STR);
1695 tor_addr_parse(&ipv6_addr, TEST_IPV6_ADDR_STR);
1696 tor_addr_parse(&r_ipv4_addr, OTHER_IPV4_ADDR_STR);
1697 tor_addr_parse(&r_ipv6_addr, OTHER_IPV6_ADDR_STR);
1698 tor_addr_make_null(&n_ipv4_addr, AF_INET);
1699 tor_addr_make_null(&n_ipv6_addr, AF_INET6);
1700
1701 /* Test the function's address matching with IPv4 and IPv6 on */
1702 memset(&mock_options, 0, sizeof(or_options_t));
1703 mock_options.ClientUseIPv4 = 1;
1704 mock_options.ClientUseIPv6 = 1;
1705 mock_options.UseBridges = 0;
1706
1707 tt_assert(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0)
1708 == 1);
1709 tt_assert(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0)
1710 == 1);
1711 tt_assert(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0)
1712 == 0);
1713 tt_assert(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0)
1714 == 0);
1715
1716 /* Preferring IPv4 */
1717 tt_assert(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 0)
1718 == 1);
1719 tt_assert(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 0)
1720 == 0);
1721 tt_assert(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 0)
1722 == 0);
1723 tt_assert(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 0)
1724 == 0);
1725
1726 /* Preferring IPv6 */
1727 tt_assert(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 1)
1728 == 0);
1729 tt_assert(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 1)
1730 == 1);
1731 tt_assert(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 1)
1732 == 0);
1733 tt_assert(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 1)
1734 == 0);
1735
1736 /* Test the function's address matching with UseBridges on */
1737 memset(&mock_options, 0, sizeof(or_options_t));
1738 mock_options.ClientUseIPv4 = 1;
1739 mock_options.ClientUseIPv6 = 1;
1740 mock_options.UseBridges = 1;
1741
1742 tt_assert(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0)
1743 == 1);
1744 tt_assert(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0)
1745 == 1);
1746 tt_assert(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0)
1747 == 0);
1748 tt_assert(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0)
1749 == 0);
1750
1751 /* Preferring IPv4 */
1752 tt_assert(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 0)
1753 == 1);
1754 tt_assert(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 0)
1755 == 0);
1756 tt_assert(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 0)
1757 == 0);
1758 tt_assert(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 0)
1759 == 0);
1760
1761 /* Preferring IPv6 */
1762 tt_assert(fascist_firewall_allows_address(&ipv4_addr, port, policy, 1, 1)
1763 == 0);
1764 tt_assert(fascist_firewall_allows_address(&ipv6_addr, port, policy, 1, 1)
1765 == 1);
1766 tt_assert(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 1, 1)
1767 == 0);
1768 tt_assert(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 1, 1)
1769 == 0);
1770
1771 /* bridge clients always use IPv6, regardless of ClientUseIPv6 */
1772 mock_options.ClientUseIPv4 = 1;
1773 mock_options.ClientUseIPv6 = 0;
1774 tt_assert(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0)
1775 == 1);
1776 tt_assert(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0)
1777 == 1);
1778 tt_assert(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0)
1779 == 0);
1780 tt_assert(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0)
1781 == 0);
1782
1783 /* Test the function's address matching with IPv4 on */
1784 memset(&mock_options, 0, sizeof(or_options_t));
1785 mock_options.ClientUseIPv4 = 1;
1786 mock_options.ClientUseIPv6 = 0;
1787 mock_options.UseBridges = 0;
1788
1789 tt_assert(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0)
1790 == 1);
1791 tt_assert(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0)
1792 == 0);
1793 tt_assert(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0)
1794 == 0);
1795 tt_assert(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0)
1796 == 0);
1797
1798 /* Test the function's address matching with IPv6 on */
1799 memset(&mock_options, 0, sizeof(or_options_t));
1800 mock_options.ClientUseIPv4 = 0;
1801 mock_options.ClientUseIPv6 = 1;
1802 mock_options.UseBridges = 0;
1803
1804 tt_assert(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0)
1805 == 0);
1806 tt_assert(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0)
1807 == 1);
1808 tt_assert(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0)
1809 == 0);
1810 tt_assert(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0)
1811 == 0);
1812
1813 /* Test the function's address matching with ClientUseIPv4 0.
1814 * This means "use IPv6" regardless of the other settings. */
1815 memset(&mock_options, 0, sizeof(or_options_t));
1816 mock_options.ClientUseIPv4 = 0;
1817 mock_options.ClientUseIPv6 = 0;
1818 mock_options.UseBridges = 0;
1819
1820 tt_assert(fascist_firewall_allows_address(&ipv4_addr, port, policy, 0, 0)
1821 == 0);
1822 tt_assert(fascist_firewall_allows_address(&ipv6_addr, port, policy, 0, 0)
1823 == 1);
1824 tt_assert(fascist_firewall_allows_address(&r_ipv4_addr, port, policy, 0, 0)
1825 == 0);
1826 tt_assert(fascist_firewall_allows_address(&r_ipv6_addr, port, policy, 0, 0)
1827 == 0);
1828
1829 /* Test the function's address matching for unusual inputs */
1830 memset(&mock_options, 0, sizeof(or_options_t));
1831 mock_options.ClientUseIPv4 = 1;
1832 mock_options.ClientUseIPv6 = 1;
1833 mock_options.UseBridges = 1;
1834
1835 /* NULL and tor_addr_is_null addresses are rejected */
1836 tt_assert(fascist_firewall_allows_address(NULL, port, policy, 0, 0) == 0);
1837 tt_assert(fascist_firewall_allows_address(&n_ipv4_addr, port, policy, 0, 0)
1838 == 0);
1839 tt_assert(fascist_firewall_allows_address(&n_ipv6_addr, port, policy, 0, 0)
1840 == 0);
1841
1842 /* zero ports are rejected */
1843 tt_assert(fascist_firewall_allows_address(&ipv4_addr, 0, policy, 0, 0)
1844 == 0);
1845 tt_assert(fascist_firewall_allows_address(&ipv6_addr, 0, policy, 0, 0)
1846 == 0);
1847
1848 /* NULL and empty policies accept everything */
1849 tt_assert(fascist_firewall_allows_address(&ipv4_addr, port, NULL, 0, 0)
1850 == 1);
1851 tt_assert(fascist_firewall_allows_address(&ipv6_addr, port, NULL, 0, 0)
1852 == 1);
1853 tt_assert(fascist_firewall_allows_address(&ipv4_addr, port, e_policy, 0, 0)
1854 == 1);
1855 tt_assert(fascist_firewall_allows_address(&ipv6_addr, port, e_policy, 0, 0)
1856 == 1);
1857
1858 done:
1859 addr_policy_free(item);
1860 addr_policy_list_free(policy);
1861 addr_policy_list_free(e_policy);
1862 UNMOCK(get_options);
1863 }
1864
1865 #undef REJECT_IPv4_FINAL_STR
1866 #undef REJECT_IPv6_FINAL_STR
1867 #undef OTHER_IPV4_ADDR_STR
1868 #undef OTHER_IPV6_ADDR_STR
1869
1870 #define TEST_IPV4_OR_PORT 1234
1871 #define TEST_IPV4_DIR_PORT 2345
1872 #define TEST_IPV6_OR_PORT 61234
1873 #define TEST_IPV6_DIR_PORT 62345
1874
1875 /* Check that fascist_firewall_choose_address_rs() returns the expected
1876 * results. */
1877 #define CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
1878 expect_ap) \
1879 STMT_BEGIN \
1880 tor_addr_port_t chosen_rs_ap; \
1881 tor_addr_make_null(&chosen_rs_ap.addr, AF_INET); \
1882 chosen_rs_ap.port = 0; \
1883 tt_int_op(fascist_firewall_choose_address_rs(&(fake_rs), \
1884 (fw_connection), \
1885 (pref_only), \
1886 &chosen_rs_ap), \
1887 OP_EQ, (expect_rv)); \
1888 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_rs_ap.addr)); \
1889 tt_int_op((expect_ap).port, OP_EQ, chosen_rs_ap.port); \
1890 STMT_END
1891
1892 /* Check that fascist_firewall_choose_address_node() returns the expected
1893 * results. */
1894 #define CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, \
1895 expect_rv, expect_ap) \
1896 STMT_BEGIN \
1897 tor_addr_port_t chosen_node_ap; \
1898 tor_addr_make_null(&chosen_node_ap.addr, AF_INET); \
1899 chosen_node_ap.port = 0; \
1900 tt_int_op(fascist_firewall_choose_address_node(&(fake_node), \
1901 (fw_connection), \
1902 (pref_only), \
1903 &chosen_node_ap), \
1904 OP_EQ, (expect_rv)); \
1905 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_node_ap.addr)); \
1906 tt_int_op((expect_ap).port, OP_EQ, chosen_node_ap.port); \
1907 STMT_END
1908
1909 /* Check that fascist_firewall_choose_address_rs and
1910 * fascist_firewall_choose_address_node() both return the expected results. */
1911 #define CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, fw_connection, pref_only, \
1912 expect_rv, expect_ap) \
1913 STMT_BEGIN \
1914 CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
1915 expect_ap); \
1916 CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, expect_rv, \
1917 expect_ap); \
1918 STMT_END
1919
1920 /** Run unit tests for fascist_firewall_choose_address */
1921 static void
1922 test_policies_fascist_firewall_choose_address(void *arg)
1923 {
1924 (void)arg;
1925 tor_addr_port_t ipv4_or_ap, ipv4_dir_ap, ipv6_or_ap, ipv6_dir_ap;
1926 tor_addr_port_t n_ipv4_ap, n_ipv6_ap;
1927
1928 /* Setup the options */
1929 memset(&mock_options, 0, sizeof(or_options_t));
1930 MOCK(get_options, mock_get_options);
1931
1932 /* Parse the addresses */
1933 tor_addr_parse(&ipv4_or_ap.addr, TEST_IPV4_ADDR_STR);
1934 ipv4_or_ap.port = TEST_IPV4_OR_PORT;
1935 tor_addr_parse(&ipv4_dir_ap.addr, TEST_IPV4_ADDR_STR);
1936 ipv4_dir_ap.port = TEST_IPV4_DIR_PORT;
1937
1938 tor_addr_parse(&ipv6_or_ap.addr, TEST_IPV6_ADDR_STR);
1939 ipv6_or_ap.port = TEST_IPV6_OR_PORT;
1940 tor_addr_parse(&ipv6_dir_ap.addr, TEST_IPV6_ADDR_STR);
1941 ipv6_dir_ap.port = TEST_IPV6_DIR_PORT;
1942
1943 tor_addr_make_null(&n_ipv4_ap.addr, AF_INET);
1944 n_ipv4_ap.port = 0;
1945 tor_addr_make_null(&n_ipv6_ap.addr, AF_INET6);
1946 n_ipv6_ap.port = 0;
1947
1948 /* Sanity check fascist_firewall_choose_address with IPv4 and IPv6 on */
1949 memset(&mock_options, 0, sizeof(or_options_t));
1950 mock_options.ClientUseIPv4 = 1;
1951 mock_options.ClientUseIPv6 = 1;
1952 mock_options.UseBridges = 0;
1953
1954 /* Prefer IPv4 */
1955 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
1956 FIREWALL_OR_CONNECTION, 0, 0)
1957 == &ipv4_or_ap);
1958 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
1959 FIREWALL_OR_CONNECTION, 1, 0)
1960 == &ipv4_or_ap);
1961 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 1,
1962 FIREWALL_DIR_CONNECTION, 0, 0)
1963 == &ipv4_dir_ap);
1964 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 1,
1965 FIREWALL_DIR_CONNECTION, 1, 0)
1966 == &ipv4_dir_ap);
1967
1968 /* Prefer IPv6 */
1969 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
1970 FIREWALL_OR_CONNECTION, 0, 1)
1971 == &ipv6_or_ap);
1972 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
1973 FIREWALL_OR_CONNECTION, 1, 1)
1974 == &ipv6_or_ap);
1975 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 0,
1976 FIREWALL_DIR_CONNECTION, 0, 1)
1977 == &ipv6_dir_ap);
1978 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &ipv6_dir_ap, 0,
1979 FIREWALL_DIR_CONNECTION, 1, 1)
1980 == &ipv6_dir_ap);
1981
1982 /* Unusual inputs */
1983
1984 /* null preferred OR addresses */
1985 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &n_ipv6_ap, 0,
1986 FIREWALL_OR_CONNECTION, 0, 1)
1987 == &ipv4_or_ap);
1988 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &ipv6_or_ap, 1,
1989 FIREWALL_OR_CONNECTION, 0, 0)
1990 == &ipv6_or_ap);
1991
1992 /* null both OR addresses */
1993 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 0,
1994 FIREWALL_OR_CONNECTION, 0, 1)
1995 == NULL);
1996 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 1,
1997 FIREWALL_OR_CONNECTION, 0, 0)
1998 == NULL);
1999
2000 /* null preferred Dir addresses */
2001 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap, &n_ipv6_ap, 0,
2002 FIREWALL_DIR_CONNECTION, 0, 1)
2003 == &ipv4_dir_ap);
2004 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &ipv6_dir_ap, 1,
2005 FIREWALL_DIR_CONNECTION, 0, 0)
2006 == &ipv6_dir_ap);
2007
2008 /* null both Dir addresses */
2009 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 0,
2010 FIREWALL_DIR_CONNECTION, 0, 1)
2011 == NULL);
2012 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap, &n_ipv6_ap, 1,
2013 FIREWALL_DIR_CONNECTION, 0, 0)
2014 == NULL);
2015
2016 /* Prefer IPv4 but want IPv6 (contradictory) */
2017 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2018 FIREWALL_OR_CONNECTION, 0, 0)
2019 == &ipv4_or_ap);
2020 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 0,
2021 FIREWALL_OR_CONNECTION, 1, 0)
2022 == &ipv4_or_ap);
2023
2024 /* Prefer IPv6 but want IPv4 (contradictory) */
2025 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
2026 FIREWALL_OR_CONNECTION, 0, 1)
2027 == &ipv6_or_ap);
2028 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap, &ipv6_or_ap, 1,
2029 FIREWALL_OR_CONNECTION, 1, 1)
2030 == &ipv6_or_ap);
2031
2032 /* Make a fake rs. There will be no corresponding node.
2033 * This is what happens when there's no consensus and we're bootstrapping
2034 * from authorities / fallbacks. */
2035 routerstatus_t fake_rs;
2036 memset(&fake_rs, 0, sizeof(routerstatus_t));
2037 /* In a routerstatus, the OR and Dir addresses are the same */
2038 fake_rs.addr = tor_addr_to_ipv4h(&ipv4_or_ap.addr);
2039 fake_rs.or_port = ipv4_or_ap.port;
2040 fake_rs.dir_port = ipv4_dir_ap.port;
2041
2042 tor_addr_copy(&fake_rs.ipv6_addr, &ipv6_or_ap.addr);
2043 fake_rs.ipv6_orport = ipv6_or_ap.port;
2044 /* In a routerstatus, the IPv4 and IPv6 DirPorts are the same.*/
2045 ipv6_dir_ap.port = TEST_IPV4_DIR_PORT;
2046
2047 /* Make a fake node. Even though it contains the fake_rs, a lookup won't
2048 * find the node from the rs, because they're not in the hash table. */
2049 node_t fake_node;
2050 memset(&fake_node, 0, sizeof(node_t));
2051 fake_node.rs = &fake_rs;
2052
2053 /* Choose an address with IPv4 and IPv6 on */
2054 memset(&mock_options, 0, sizeof(or_options_t));
2055 mock_options.ClientUseIPv4 = 1;
2056 mock_options.ClientUseIPv6 = 1;
2057 mock_options.UseBridges = 0;
2058
2059 /* Preferring IPv4 */
2060 mock_options.ClientPreferIPv6ORPort = 0;
2061 mock_options.ClientPreferIPv6DirPort = 0;
2062 /* Simulate the initialisation of fake_node.ipv6_preferred */
2063 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2064 &mock_options);
2065
2066 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2067 ipv4_or_ap);
2068 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2069 ipv4_or_ap);
2070 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2071 ipv4_dir_ap);
2072 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2073 ipv4_dir_ap);
2074
2075 /* Auto (Preferring IPv4) */
2076 mock_options.ClientPreferIPv6ORPort = -1;
2077 mock_options.ClientPreferIPv6DirPort = -1;
2078 /* Simulate the initialisation of fake_node.ipv6_preferred */
2079 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2080 &mock_options);
2081
2082 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2083 ipv4_or_ap);
2084 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2085 ipv4_or_ap);
2086 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2087 ipv4_dir_ap);
2088 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2089 ipv4_dir_ap);
2090
2091 /* Preferring IPv6 */
2092 mock_options.ClientPreferIPv6ORPort = 1;
2093 mock_options.ClientPreferIPv6DirPort = 1;
2094 /* Simulate the initialisation of fake_node.ipv6_preferred */
2095 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2096 &mock_options);
2097
2098 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2099 ipv6_or_ap);
2100 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2101 ipv6_or_ap);
2102 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2103 ipv6_dir_ap);
2104 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2105 ipv6_dir_ap);
2106
2107 /* Preferring IPv4 OR / IPv6 Dir */
2108 mock_options.ClientPreferIPv6ORPort = 0;
2109 mock_options.ClientPreferIPv6DirPort = 1;
2110 /* Simulate the initialisation of fake_node.ipv6_preferred */
2111 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2112 &mock_options);
2113
2114 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2115 ipv4_or_ap);
2116 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2117 ipv4_or_ap);
2118 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2119 ipv6_dir_ap);
2120 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2121 ipv6_dir_ap);
2122
2123 /* Preferring IPv6 OR / IPv4 Dir */
2124 mock_options.ClientPreferIPv6ORPort = 1;
2125 mock_options.ClientPreferIPv6DirPort = 0;
2126 /* Simulate the initialisation of fake_node.ipv6_preferred */
2127 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2128 &mock_options);
2129
2130 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2131 ipv6_or_ap);
2132 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2133 ipv6_or_ap);
2134 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2135 ipv4_dir_ap);
2136 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2137 ipv4_dir_ap);
2138
2139 /* Choose an address with UseBridges on */
2140 memset(&mock_options, 0, sizeof(or_options_t));
2141 mock_options.UseBridges = 1;
2142 mock_options.ClientUseIPv4 = 1;
2143 mock_options.ClientUseIPv6 = 1;
2144
2145 /* Preferring IPv4 */
2146 mock_options.ClientPreferIPv6ORPort = 0;
2147 mock_options.ClientPreferIPv6DirPort = 0;
2148 /* Simulate the initialisation of fake_node.ipv6_preferred */
2149 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2150 &mock_options);
2151
2152 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2153 ipv4_or_ap);
2154 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2155 ipv4_or_ap);
2156 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2157 ipv4_dir_ap);
2158 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2159 ipv4_dir_ap);
2160
2161 /* Auto:
2162 * - bridge clients prefer the configured bridge OR address from the node,
2163 * (the configured address family sets node.ipv6_preferred)
2164 * - other clients prefer IPv4 OR by default (see above),
2165 * - all clients, including bridge clients, prefer IPv4 Dir by default.
2166 */
2167 mock_options.ClientPreferIPv6ORPort = -1;
2168 mock_options.ClientPreferIPv6DirPort = -1;
2169
2170 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2171 * configured with an IPv4 address */
2172 fake_node.ipv6_preferred = 0;
2173 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2174 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2175 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2176 ipv4_dir_ap);
2177 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2178 ipv4_dir_ap);
2179
2180 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2181 * configured with an IPv6 address */
2182 fake_node.ipv6_preferred = 1;
2183 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
2184 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
2185 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2186 ipv4_dir_ap);
2187 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2188 ipv4_dir_ap);
2189
2190 /* When a rs has no node, it defaults to IPv4 under auto. */
2191 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2192 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2193 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
2194 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
2195
2196 /* Preferring IPv6 */
2197 mock_options.ClientPreferIPv6ORPort = 1;
2198 mock_options.ClientPreferIPv6DirPort = 1;
2199 /* Simulate the initialisation of fake_node.ipv6_preferred */
2200 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2201 &mock_options);
2202
2203 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2204 ipv6_or_ap);
2205 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2206 ipv6_or_ap);
2207 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2208 ipv6_dir_ap);
2209 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2210 ipv6_dir_ap);
2211
2212 /* In the default configuration (Auto / IPv6 off), bridge clients should
2213 * use both IPv4 and IPv6, but only prefer IPv6 for bridges configured with
2214 * an IPv6 address, regardless of ClientUseIPv6. (See above.) */
2215 mock_options.ClientUseIPv6 = 0;
2216 mock_options.ClientPreferIPv6ORPort = -1;
2217 mock_options.ClientPreferIPv6DirPort = -1;
2218 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2219 * configured with an IPv4 address */
2220 fake_node.ipv6_preferred = 0;
2221 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2222 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2223 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2224 ipv4_dir_ap);
2225 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2226 ipv4_dir_ap);
2227
2228 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2229 * configured with an IPv6 address */
2230 fake_node.ipv6_preferred = 1;
2231 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 0, 1, ipv6_or_ap);
2232 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_OR_CONNECTION, 1, 1, ipv6_or_ap);
2233 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2234 ipv4_dir_ap);
2235 CHECK_CHOSEN_ADDR_NODE(fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2236 ipv4_dir_ap);
2237
2238 /* When a rs has no node, it defaults to IPv4 under auto. */
2239 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 0, 1, ipv4_or_ap);
2240 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_OR_CONNECTION, 1, 1, ipv4_or_ap);
2241 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 0, 1, ipv4_dir_ap);
2242 CHECK_CHOSEN_ADDR_RS(fake_rs, FIREWALL_DIR_CONNECTION, 1, 1, ipv4_dir_ap);
2243
2244 /* Choose an address with IPv4 on */
2245 memset(&mock_options, 0, sizeof(or_options_t));
2246 mock_options.ClientUseIPv4 = 1;
2247 mock_options.ClientUseIPv6 = 0;
2248 /* Simulate the initialisation of fake_node.ipv6_preferred */
2249 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2250 &mock_options);
2251
2252 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2253 ipv4_or_ap);
2254 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2255 ipv4_or_ap);
2256 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2257 ipv4_dir_ap);
2258 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2259 ipv4_dir_ap);
2260
2261 /* Choose an address with IPv6 on */
2262 memset(&mock_options, 0, sizeof(or_options_t));
2263 mock_options.ClientUseIPv4 = 0;
2264 mock_options.ClientUseIPv6 = 1;
2265 /* Simulate the initialisation of fake_node.ipv6_preferred */
2266 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2267 &mock_options);
2268
2269 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2270 ipv6_or_ap);
2271 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2272 ipv6_or_ap);
2273 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2274 ipv6_dir_ap);
2275 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2276 ipv6_dir_ap);
2277
2278 /* Choose an address with ClientUseIPv4 0.
2279 * This means "use IPv6" regardless of the other settings. */
2280 memset(&mock_options, 0, sizeof(or_options_t));
2281 mock_options.ClientUseIPv4 = 0;
2282 mock_options.ClientUseIPv6 = 0;
2283 /* Simulate the initialisation of fake_node.ipv6_preferred */
2284 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2285 &mock_options);
2286
2287 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2288 ipv6_or_ap);
2289 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2290 ipv6_or_ap);
2291 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2292 ipv6_dir_ap);
2293 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2294 ipv6_dir_ap);
2295
2296 /* Choose an address with ORPort_set 1 (server mode).
2297 * This means "use IPv4" regardless of the other settings. */
2298 memset(&mock_options, 0, sizeof(or_options_t));
2299 mock_options.ORPort_set = 1;
2300 mock_options.ClientUseIPv4 = 0;
2301 mock_options.ClientUseIPv6 = 1;
2302 mock_options.ClientPreferIPv6ORPort = 1;
2303 mock_options.ClientPreferIPv6DirPort = 1;
2304
2305 /* Simulate the initialisation of fake_node.ipv6_preferred */
2306 fake_node.ipv6_preferred = fascist_firewall_prefer_ipv6_orport(
2307 &mock_options);
2308
2309 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 0, 1,
2310 ipv4_or_ap);
2311 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_OR_CONNECTION, 1, 1,
2312 ipv4_or_ap);
2313 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 0, 1,
2314 ipv4_dir_ap);
2315 CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, FIREWALL_DIR_CONNECTION, 1, 1,
2316 ipv4_dir_ap);
2317
2318 done:
2319 UNMOCK(get_options);
2320 }
2321
2322 #undef TEST_IPV4_ADDR_STR
2323 #undef TEST_IPV6_ADDR_STR
2324 #undef TEST_IPV4_OR_PORT
2325 #undef TEST_IPV4_DIR_PORT
2326 #undef TEST_IPV6_OR_PORT
2327 #undef TEST_IPV6_DIR_PORT
2328
2329 #undef CHECK_CHOSEN_ADDR_RS
2330 #undef CHECK_CHOSEN_ADDR_NODE
2331 #undef CHECK_CHOSEN_ADDR_RN
2332
2333 struct testcase_t policy_tests[] = {
2334 { "router_dump_exit_policy_to_string", test_dump_exit_policy_to_string, 0,
2335 NULL, NULL },
2336 { "general", test_policies_general, 0, NULL, NULL },
2337 { "getinfo_helper_policies", test_policies_getinfo_helper_policies, 0, NULL,
2338 NULL },
2339 { "reject_exit_address", test_policies_reject_exit_address, 0, NULL, NULL },
2340 { "reject_interface_address", test_policies_reject_interface_address, 0,
2341 NULL, NULL },
2342 { "reject_port_address", test_policies_reject_port_address, 0, NULL, NULL },
2343 { "fascist_firewall_allows_address",
2344 test_policies_fascist_firewall_allows_address, 0, NULL, NULL },
2345 { "fascist_firewall_choose_address",
2346 test_policies_fascist_firewall_choose_address, 0, NULL, NULL },
2347 END_OF_TESTCASES
2348 };
2349
The Onion Router